Set Up an OIDC Service Provider in SSO

This topic describes how to add an OpenID Connect (OIDC) external identity provider to your Pivotal Single Sign-On (SSO) service plan, using Azure Active Directory (Azure AD) as an example.

Follow the steps below to set up an OIDC provider for the SSO service.

Log in to the SSO dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your UAA administrator credentials. You can find these credentials in your Elastic Runtime tile in Ops Manager under the Credentials tab.

Click the plan name and select Manage Identity Providers from the drop-down menu.

Click New Identity Provider.

Enter an Identity Provider Name. This value, converted to lowercase with dashes replacing spaces, becomes your Origin Key. For example, Example Azure Origin becomes example-azure-origin. The Origin Key is part of the redirect URI you registered for your OAuth client in the previous section; if the redirect URI you entered in Azure does not contain this exact value, go back and edit it in Azure before continuing, because Azure AD rejects callbacks to an unregistered redirect URI.

Enter a Description. Space developers see this description when they select an identity provider for their app.

Under Identity Provider type, select OpenID Connect .

Clear the Enable Discovery checkbox. With discovery disabled, SSO does not fetch the provider configuration itself, so enter the following values manually, taking each one from the OpenID Connect metadata endpoint you constructed at the end of the previous section.

For Authorization Endpoint URL, enter the authorization_endpoint value from the metadata endpoint.

For Token Endpoint URL, enter the token_endpoint value from the metadata endpoint.

For Token Key, enter the jwks_uri value from the metadata endpoint.

For Issuer, enter the issuer value from the metadata endpoint exactly as it appears, including any trailing slash. SSO compares this value with the iss claim of the ID tokens Azure AD issues, and a mismatch causes login to fail.

For User Info Endpoint URL, enter the userinfo_endpoint value from the metadata endpoint.

For Response Type, select id_token.

For Relying Party OAuth Client ID, enter the Application ID value recorded from the previous section.

For Relying Party OAuth Client Secret, enter the Client Secret value recorded in the previous section. Treat this value as a credential: anyone who holds it can obtain tokens from Azure AD as your application, so do not store it in tickets, chat, or source control.
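The steps above copy five URLs from the metadata document into the form by hand, and a single typo or a missing trailing slash on the Issuer is enough to break login. The script below is an added example, not part of the Pivotal documentation or product: it reads a discovery document, pulls out exactly the values the form asks for, refuses any non-https endpoint, confirms the chosen Response Type is one the provider advertises, and derives the Origin Key from the display name. The metadata it uses is constructed for illustration (TENANT-ID and SYSTEM-DOMAIN are placeholders), and the callback path it prints is an assumption drawn from UAA's usual /login/callback/ORIGIN-KEY convention; confirm it against the redirect URI you registered in Azure.

```python
"""Derive the SSO OIDC form values from an OpenID Connect discovery document.

Added example for this page, not Pivotal's code. SAMPLE_METADATA is a constructed
document that mimics the shape of a real .well-known/openid-configuration response;
TENANT-ID and SYSTEM-DOMAIN are placeholders, not real identifiers.
"""
import json
from urllib.parse import urlparse

# Constructed sample discovery document (placeholder tenant id, not real data).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://sts.windows.net/TENANT-ID/",
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
    "userinfo_endpoint": "https://login.microsoftonline.com/TENANT-ID/openid/userinfo",
    "response_types_supported": ["code", "id_token", "code id_token"],
})

# Each field of the SSO "New Identity Provider" form and the metadata key it takes.
FORM_FIELDS = {
    "Authorization Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "Token Key": "jwks_uri",
    "Issuer": "issuer",
    "User Info Endpoint URL": "userinfo_endpoint",
}


def origin_key(display_name):
    """Origin Key as the dashboard derives it: lowercase, spaces replaced by dashes."""
    return "-".join(display_name.lower().split())


def redirect_uri(system_domain, display_name):
    """Callback the Azure app registration must allow.

    Assumption: UAA's /login/callback/ORIGIN-KEY convention; verify against the
    redirect URI you actually registered in Azure in the previous section.
    """
    return f"https://login.{system_domain}/login/callback/{origin_key(display_name)}"


def form_values(metadata_json, response_type="id_token"):
    """Return {form label: value}; raise ValueError if the metadata is incomplete or unsafe."""
    md = json.loads(metadata_json)
    values = {}
    for label, key in FORM_FIELDS.items():
        url = md.get(key)
        if not url:
            raise ValueError(f"metadata lacks {key}; cannot fill '{label}'")
        # Every endpoint UAA contacts, and the issuer it compares with the id_token's
        # iss claim, must be https; a plaintext URL would let an on-path attacker
        # serve substitute signing keys or intercept the token exchange.
        if urlparse(url).scheme != "https":
            raise ValueError(f"{key} is not https: {url}")
        values[label] = url
    if response_type not in md.get("response_types_supported", []):
        raise ValueError(f"provider does not advertise response type {response_type!r}")
    values["Response Type"] = response_type
    return values


def issuer_matches(values, id_token_claims):
    """True only if the configured Issuer equals the iss claim byte for byte."""
    return id_token_claims.get("iss") == values["Issuer"]


if __name__ == "__main__":
    for label, value in form_values(SAMPLE_METADATA).items():
        print(f"{label}: {value}")
    print("Origin Key:", origin_key("Example Azure Origin"))
    print("Redirect URI (assumed UAA convention):",
          redirect_uri("SYSTEM-DOMAIN", "Example Azure Origin"))
```

Run it against the real metadata document by replacing SAMPLE_METADATA with the body you fetch from the provider; the issuer_matches check is the one to rerun whenever the provider changes tenants or endpoint versions, since a differing trailing slash is the most common cause of a rejected ID token.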